FV2 and a JSS 8 to 9 upgrade

dpertschi
Valued Contributor

8.73 here with no experience running encryption yet, version 9 upgrade imminent.

If I had to start encrypting laptops now with our 8.73 JSS, are there any areas of interest or concern when we upgrade to 9.x in a month or two?

The process of key creation, configuration and deployment appears mostly the same, as best I can tell from the white papers.

7 REPLIES

Chris
Valued Contributor

I upgraded from 8.73 to 9.61 today and haven't noticed any issues regarding FV2 so far, apart from this one: https://jamfnation.jamfsoftware.com/discussion.html?id=12390

mm2270
Legendary Contributor III

Hey @dpertschi - the process should be basically the same on either version, but if you're planning a 9 upgrade, it may just make more sense to wait to start any encryption policies. Partly because you may be able to make better use of some of the new features 9 brings as you roll it out, like the Notification Center messaging function (Management Action.app), for example.
Also, though very very unlikely, I've seen some rare cases where Recovery Keys go missing on some systems after the upgrade. You do not want to lose those keys, of course, so unless you're required to begin encryption now, if you can wait to start after the upgrade, I would consider that.
If you're required to start before, there shouldn't be any major worries.

NowAllTheTime
Contributor III

If you have to start encrypting now, and you find yourself in the unlikely scenario of losing keys in the process of upgrading the JSS, you can create a policy to issue new recovery keys and then clients will receive and report their new keys as they check back in. You can check out the technical papers on administering FileVault with Casper Suite here to see how to create a policy that does this: http://www.jamfsoftware.com/resources/administering-filevault-2-with-the-casper-suite/

dpertschi
Valued Contributor

Well that stinks! I was hoping for something prohibitive that I could use as justification to delay until after the upgrade! Because, yes, that makes sense. That's all good to hear though if I'm forced down that road.

Help me understand, though, about potential recovery key loss. If that were to occur, aren't we just talking about the keys uploaded to the JSS encryption configuration? I'd think I'd just re-upload or create new ones. I don't follow how that would relate to or impact an encrypted client.

mm2270
Legendary Contributor III

No, you can't just upload a new Individual Recovery Key to the JSS if somehow it gets lost along the way. These are keys that are generated at the time of encryption and only apply to the Mac it was enabled on. The Institutional Key (if used) applies to all Casper-encrypted Macs. That may be the key you're thinking about. I do recommend using an Institutional and Individual key setup, BTW.
The Individual Key gets picked up during a recon after encryption is initiated. It gets placed into a special xml file on the Mac that recon sees and scoops up, and places into an encrypted field inside the database for that Mac record.
The workflow @jasonaswell mentions does work for reassigning a new key to a Mac, but there are caveats you should be aware of. For one, it only works on Macs running 10.9+. If you have any 10.8.x Macs you enable encryption on, the workflow of generating a new Recovery Key will not work for them if you should need to do that. It also requires that your Casper service account be enabled for FV2 on the Mac, or that an existing individual recovery key for that Mac is present in the JSS record. If, like us, you'd rather not have your service account show up at the FV2 pre-boot screen and only want the primary user enabled, the workflow may not work for you. Here is the "requirements" section from one of the PDFs about that process:

Requirements
To issue a new individual recovery key to a computer, the computer must have:
• OS X v10.9
• A "Recovery HD" partition
• FileVault 2 activated
• One of the following conditions met:
  • The management account configured as the FileVault 2-enabled user
  • An existing, valid individual recovery key that matches the key stored in the JSS

All that said, losing Recovery Keys is, as I mentioned, very very unlikely, so it's probably not much of a concern really. I just wanted to mention it since you're talking about turning on FileVault. I still think if it were me, unless there was a real pressing need to do it now, I would just wait until after the upgrade to begin that.
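The requirements quoted above are the kind of thing worth checking on a fleet before you depend on the re-issue workflow as a recovery path. The following pre-flight check is an added example, not code from the thread, from Jamf, or from the Casper Suite documentation. It is written as pure shell functions that take captured command output as arguments, so it can be tested offline; on a real Mac the inputs would come from `sw_vers -productVersion`, `fdesetup status`, `diskutil list` and `fdesetup list` (which prints one `user,UUID` line per FileVault-enabled user). The account name `casperadmin`, the sample outputs, and the `key_in_jss` flag (whether the JSS record already holds a valid individual key, which must be looked up server-side) are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for the "issue a new individual recovery key"
# prerequisites. Every function takes captured output as its argument so the
# checks can be exercised without a Mac. Nothing here changes any state.

# Returns 0 when an OS X version string (e.g. "10.9.5") is at least 10.9.
os_meets_minimum() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    if [ "$major" -gt 10 ]; then return 0; fi
    if [ "$major" -eq 10 ] && [ "$minor" -ge 9 ]; then return 0; fi
    return 1
}

# Returns 0 when `fdesetup status` output reports FileVault as on.
fv_is_on() {
    printf '%s' "$1" | grep -q '^FileVault is On'
}

# Returns 0 when `diskutil list` output shows a "Recovery HD" partition.
has_recovery_partition() {
    printf '%s' "$1" | grep -q 'Recovery HD'
}

# Returns 0 when the account ($2) appears in `fdesetup list` output ($1).
# The user column is the text before the first comma on each line.
mgmt_account_enabled() {
    printf '%s\n' "$1" | cut -d, -f1 | grep -qxF "$2"
}

# Evaluates all requirements. $6 is "yes" when the JSS computer record already
# holds a valid individual recovery key (assumed to be looked up separately).
# Prints one FAIL line per unmet requirement and returns 1 if any failed.
can_reissue_key() {
    os_ver=$1; fv_status=$2; disk_list=$3; fde_list=$4; mgmt=$5; key_in_jss=$6
    ok=0
    os_meets_minimum "$os_ver"          || { echo "FAIL: OS X $os_ver is below 10.9"; ok=1; }
    fv_is_on "$fv_status"               || { echo "FAIL: FileVault 2 is not active"; ok=1; }
    has_recovery_partition "$disk_list" || { echo "FAIL: no Recovery HD partition"; ok=1; }
    if mgmt_account_enabled "$fde_list" "$mgmt" || [ "$key_in_jss" = yes ]; then
        :
    else
        echo "FAIL: $mgmt is not FV2-enabled and no valid key is escrowed in the JSS"
        ok=1
    fi
    return $ok
}

# Constructed sample output (not captured from a real system).
SAMPLE_FDE_LIST='jdoe,00000000-1111-2222-3333-444444444444'
SAMPLE_DISKUTIL='/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:          Apple_CoreStorage                         499.2 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3'

# Stand-alone demo: only the primary user is FV2-enabled (as in the scenario
# described in the thread), so the outcome hinges on whether a key is escrowed.
if can_reissue_key "10.9.5" "FileVault is On." "$SAMPLE_DISKUTIL" "$SAMPLE_FDE_LIST" casperadmin no; then
    echo "OK: a new individual recovery key can be issued"
else
    echo "NOT OK: fix the items above before relying on the re-issue workflow"
fi
```

The last check is the one that bites a setup where the service account is deliberately kept off the pre-boot screen: with only the primary user enabled, the re-issue policy can only succeed if the JSS record still holds a matching key, which is exactly the key that would be missing in the loss scenario being discussed.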

NowAllTheTime
Contributor III

@mm2270 thanks for clarifying about the OS version and service account requisites for issuing new recovery keys. I failed to mention that in my post, although it is called out in the documentation I linked to.

@dpertschi best of luck with your rollout of FileVault encryption. Like @mm2270 states, if you can hold off for a bit until you upgrade, that will definitely guarantee the least amount of risk.

dpertschi
Valued Contributor

Ok Mike, I'm with you now. I thought we were talking about the key pair that I upload to the encryption config, but you're talking about the individual key within a computer record. Got it, I think.

Thanks guys.